ISO 37001 - Anti-bribery management

Everyone knows that bribery hinders the development of society, increases poverty, erodes justice, distorts competition, increases the costs of doing business, destroys trust in institutions and may lead to loss of life and property.
The efforts of governments and local authorities have managed, in many countries, to fight bribery with some success; but it is obvious that law alone is not enough.

That's why in 2016, ISO published this standard - ISO 37001 to define the requirements for an anti-bribery management system.
ISO 37001 is meant to help organizations prevent, detect and address bribery cases.
Among other aspects, organizations are required to define an anti-bribery policy, perform risk assessments, define financial and non-financial controls, train employees, address the bribery risks associated with the activities of business partners and controlled organizations, and investigate bribery cases.

ISO 37001 is applicable to any organization regardless of its size, structure or activity, and regardless of whether it is a private business, a public institution or a not-for-profit organization. The standard is meant to address both bribery initiated by the organization's personnel or by individuals acting on its behalf, and bribery situations to which the organization itself may be subject.

Although conformity to ISO 37001 does not completely eliminate bribery risks, such a certification demonstrates that the organization is strongly committed in this direction and that controls are in place to address bribery.

RIGCERT offers ISO 37001 audit and certification services that confirm an organization's openness to be evaluated externally in this sensitive area, as well as its demonstrated commitment to put in place internationally recognized good-practice anti-bribery controls.

Frequently asked questions

It is a set of elements (policies, processes and procedures) used by an organization to fulfil its objectives and perform its tasks. A management system can address a single discipline (e.g. quality management system or information security management system) or several disciplines at the same time, in what is referred to as an integrated management system. It is the choice of the organization what type of management system it chooses to implement and certify.

For every discipline there are specific standards that define the requirements for a management system (e.g. ISO 9001, ISO 14001 or ISO/IEC 27001). An organization wishing to obtain the certification of its management system has to demonstrate during an initial certification audit that it fulfils the requirements of the specific standards used as reference for certification.

Regardless of the discipline, all management systems generally require organizations to define roles, responsibilities and authorities for personnel, document policies, establish objectives and actions to achieve them, demonstrate operation in controlled conditions, monitor, measure, analyze and evaluate performance, and act to continually improve the system.

A management system can be implemented by the organization using internal resources or with the help of external consultants. The management system needs to be maintained and continually improved.

To be useful, a management system should become an integral part of the organization’s activities and not a set of requirements separated from operational routine.

The support from top management is vital for the success of a management system in the organization.



Certification is an attestation from a third party (usually called registrar or certification body) that the management system implemented by an organization fulfills the requirements of applicable standard(s).

So, in fact, it is not the organization that is the subject of certification but its management system.



The certification process begins with the application sent by the organization looking to obtain certification. It has to be a written application, and it is useful to the certification body for understanding what is required and for planning the resources needed to provide the certification services.

A contract for the certification is signed.

The certification audit is done to evaluate how the requirements of the standard(s)/reference documents are implemented. The audit team is made up of one or several members, and the audit duration depends on a series of factors such as the standards involved in the certification, the size of the organization, its activities, locations, etc.

In case the conclusions of the audit are positive and there are no other elements that may affect the certification, the certification body issues the conformity certificate(s).

The document General rules for the certification of management systems contains detailed information about how the certification process works and what the requirements are for obtaining and maintaining certifications.



Management system certifications are valid for 3 years, on the condition that successful yearly surveillance audits are performed (in the first and second year after certification). Surveillance audits are meant to evaluate whether the certified management system continues to comply with the applicable requirements.

The certification program is the document that specifies the planning of surveillance audits, and it is communicated to the organization at the certification date.

In the third year the recertification audit takes place and the organization enters another 3-year certification cycle under similar conditions to the previous one.



If surveillance audits are not performed as scheduled, the certification may be suspended. During suspension the certification is temporarily invalid. If the situation is not corrected during the suspension, the certification is withdrawn.



Appeals refer to decisions of RIGCERT with regard to a certain certification (e.g. not granting, suspending, withdrawing, etc.), while complaints may refer to a series of aspects such as: the personnel working on behalf of RIGCERT, activities of the organizations certified by RIGCERT, activities of third parties connected to RIGCERT, etc.

Appeals and complaints should be sent to office@rigcert.org and are treated confidentially.

RIGCERT personnel involved in the review of and decision on a certain appeal or complaint have not been involved in the case being reviewed.

The review can include actions such as performing special audits or requesting information from the parties involved, and is concluded with a formal decision communicated to the appellant and/or complainant.

Detailed information on the appeals and complaints handling process is available in the document General rules for the certification of management systems.


